1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-10 01:18:15 +03:00

dbcheck: Add check and test for various invalid userParameters values

Bug: https://bugzilla.samba.org/show_bug.cgi?id=8077
Change-Id: I6f2f4169856ce78c62e3a7e74b48520cca9cb9ae
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This commit is contained in:
Andrew Bartlett 2014-06-17 16:00:57 +12:00 committed by Stefan Metzmacher
parent d7b4d10aba
commit 9bfbff6543
2 changed files with 244 additions and 0 deletions

View File

@ -20,6 +20,7 @@
import ldb import ldb
import samba import samba
import time import time
from base64 import b64decode
from samba import dsdb from samba import dsdb
from samba import common from samba import common
from samba.dcerpc import misc from samba.dcerpc import misc
@ -64,6 +65,9 @@ class dbcheck(object):
self.fix_replmetadata_zero_invocationid = False self.fix_replmetadata_zero_invocationid = False
self.fix_deleted_deleted_objects = False self.fix_deleted_deleted_objects = False
self.fix_dn = False self.fix_dn = False
self.fix_base64_userparameters = False
self.fix_utf8_userparameters = False
self.fix_doubled_userparameters = False
self.reset_well_known_acls = reset_well_known_acls self.reset_well_known_acls = reset_well_known_acls
self.reset_all_well_known_acls = False self.reset_all_well_known_acls = False
self.in_transaction = in_transaction self.in_transaction = in_transaction
@ -522,6 +526,58 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
"Failed to correct missing instanceType on %s by setting instanceType=%d" % (obj.dn, calculated_instancetype)): "Failed to correct missing instanceType on %s by setting instanceType=%d" % (obj.dn, calculated_instancetype)):
self.report("Corrected instancetype on %s by setting instanceType=%d" % (obj.dn, calculated_instancetype)) self.report("Corrected instancetype on %s by setting instanceType=%d" % (obj.dn, calculated_instancetype))
def err_short_userParameters(self, obj, attrname, value):
# This is a truncated userParameters due to a pre 4.1 replication bug
self.report("ERROR: incorrect userParameters value on object %s. If you have another working DC that does not give this warning, please run 'samba-tool drs replicate --full-sync --local <destinationDC> <sourceDC> %s'" % (obj.dn, self.samdb.get_nc_root(obj.dn)))
def err_base64_userParameters(self, obj, attrname, value):
'''handle a wrong userParameters'''
self.report("ERROR: wrongly formatted userParameters %s on %s, should not be base64-encoded" % (value, obj.dn))
if not self.confirm_all('Convert userParameters from base64 encoding on %s?' % (obj.dn), 'fix_base64_userparameters'):
self.report('Not changing userParameters from base64 encoding on %s' % (obj.dn))
return
m = ldb.Message()
m.dn = obj.dn
m['value'] = ldb.MessageElement(b64decode(obj[attrname][0]), ldb.FLAG_MOD_REPLACE, 'userParameters')
if self.do_modify(m, [],
"Failed to correct base64-encoded userParameters on %s by converting from base64" % (obj.dn)):
self.report("Corrected base64-encoded userParameters on %s by converting from base64" % (obj.dn))
def err_utf8_userParameters(self, obj, attrname, value):
'''handle a wrong userParameters'''
self.report("ERROR: wrongly formatted userParameters on %s, should not be psudo-UTF8 encoded" % (obj.dn))
if not self.confirm_all('Convert userParameters from UTF8 encoding on %s?' % (obj.dn), 'fix_utf8_userparameters'):
self.report('Not changing userParameters from UTF8 encoding on %s' % (obj.dn))
return
m = ldb.Message()
m.dn = obj.dn
m['value'] = ldb.MessageElement(obj[attrname][0].decode('utf8').encode('utf-16-le'),
ldb.FLAG_MOD_REPLACE, 'userParameters')
if self.do_modify(m, [],
"Failed to correct psudo-UTF8 encoded userParameters on %s by converting from UTF8" % (obj.dn)):
self.report("Corrected psudo-UTF8 encoded userParameters on %s by converting from UTF8" % (obj.dn))
def err_doubled_userParameters(self, obj, attrname, value):
'''handle a wrong userParameters'''
self.report("ERROR: wrongly formatted userParameters on %s, should not be double UTF16 encoded" % (obj.dn))
if not self.confirm_all('Convert userParameters from doubled UTF-16 encoding on %s?' % (obj.dn), 'fix_doubled_userparameters'):
self.report('Not changing userParameters from doubled UTF-16 encoding on %s' % (obj.dn))
return
m = ldb.Message()
m.dn = obj.dn
m['value'] = ldb.MessageElement(obj[attrname][0].decode('utf-16-le').decode('utf-16-le').encode('utf-16-le'),
ldb.FLAG_MOD_REPLACE, 'userParameters')
if self.do_modify(m, [],
"Failed to correct doubled-UTF16 encoded userParameters on %s by converting" % (obj.dn)):
self.report("Corrected doubled-UTF16 encoded userParameters on %s by converting" % (obj.dn))
def err_odd_userParameters(self, obj, attrname):
# This is a truncated userParameters due to a pre 4.1 replication bug
self.report("ERROR: incorrect userParameters value on object %s (odd length). If you have another working DC that does not give this warning, please run 'samba-tool drs replicate --full-sync --local <destinationDC> <sourceDC> %s'" % (obj.dn, self.samdb.get_nc_root(obj.dn)))
def find_revealed_link(self, dn, attrname, guid): def find_revealed_link(self, dn, attrname, guid):
'''return a revealed link in an object''' '''return a revealed link in an object'''
res = self.samdb.search(base=dn, scope=ldb.SCOPE_BASE, attrs=[attrname], res = self.samdb.search(base=dn, scope=ldb.SCOPE_BASE, attrs=[attrname],
@ -1164,6 +1220,40 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
error_count += 1 error_count += 1
continue continue
if str(attrname).lower() == 'userparameters':
if len(obj[attrname][0]) == 1 and obj[attrname][0][0] == '\x20':
error_count += 1
self.err_short_userParameters(obj, attrname, obj[attrname])
continue
elif obj[attrname][0][:16] == '\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00\x20\x00':
# This is the correct, normal prefix
continue
elif obj[attrname][0][:20] == 'IAAgACAAIAAgACAAIAAg':
# this is the typical prefix from a windows migration
error_count += 1
self.err_base64_userParameters(obj, attrname, obj[attrname])
continue
elif obj[attrname][0][1] != '\x00' and obj[attrname][0][3] != '\x00' and obj[attrname][0][5] != '\x00' and obj[attrname][0][7] != '\x00' and obj[attrname][0][9] != '\x00':
# This is a prefix that is not in UTF-16 format for the space or munged dialback prefix
error_count += 1
self.err_utf8_userParameters(obj, attrname, obj[attrname])
continue
elif len(obj[attrname][0]) % 2 != 0:
# This is a value that isn't even in length
error_count += 1
self.err_odd_userParameters(obj, attrname, obj[attrname])
continue
elif obj[attrname][0][1] == '\x00' and obj[attrname][0][2] == '\x00' and obj[attrname][0][3] == '\x00' and obj[attrname][0][4] != '\x00' and obj[attrname][0][5] == '\x00':
# This is a prefix that would happen if a SAMR-written value was replicated from a Samba 4.1 server to a working server
error_count += 1
self.err_doubled_userParameters(obj, attrname, obj[attrname])
continue
# check for empty attributes # check for empty attributes
for val in obj[attrname]: for val in obj[attrname]:
if val == '': if val == '':

View File

@ -15,6 +15,11 @@ shift 2
release_dir=`dirname $0`/../../source4/selftest/provisions/$RELEASE release_dir=`dirname $0`/../../source4/selftest/provisions/$RELEASE
ldbmodify="ldbmodify"
if [ -x "$BINDIR/ldbmodify" ]; then
ldbmodify="$BINDIR/ldbmodify"
fi
undump() { undump() {
if test -x $BINDIR/tdbrestore; if test -x $BINDIR/tdbrestore;
then then
@ -24,6 +29,109 @@ undump() {
fi fi
} }
add_userparameters0() {
if [ x$RELEASE = x"release-4-1-0rc3" ]; then
$ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb <<EOF
dn: cn=localdc,cn=domain controllers,dc=release-4-1-0rc3,dc=samba,dc=corp
changetype: modify
replace: userParameters
userParameters:: IAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC
AAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAUAAQABoACAAB
AEMAdAB4AEMAZgBnAFAAcgBlAHMAZQBuAHQANTUxZTBiYjAYAAgAAQBDAHQAeABDAGYAZw
BGAGwAYQBnAHMAMQAwMGUwMDAxMBYACAABAEMAdAB4AEMAYQBsAGwAYgBhAGMAawAwMDAw
MDAwMBIACAABAEMAdAB4AFMAaABhAGQAbwB3ADAxMDAwMDAwKAAIAAEAQwB0AHgATQBhAH
gAQwBvAG4AbgBlAGMAdABpAG8AbgBUAGkAbQBlADAwMDAwMDAwLgAIAAEAQwB0AHgATQBh
AHgARABpAHMAYwBvAG4AbgBlAGMAdABpAG8AbgBUAGkAbQBlADAwMDAwMDAwHAAIAAEAQw
B0AHgATQBhAHgASQBkAGwAZQBUAGkAbQBlADAwMDAwMDAwIgAIAAEAQwB0AHgASwBlAHkA
YgBvAGEAcgBkAEwAYQB5AG8AdQB0ADAwMDAwMDAwKgACAAEAQwB0AHgATQBpAG4ARQBuAG
MAcgB5AHAAdABpAG8AbgBMAGUAdgBlAGwAMDAgAAIAAQBDAHQAeABXAG8AcgBrAEQAaQBy
AGUAYwB0AG8AcgB5ADAwIAACAAEAQwB0AHgATgBXAEwAbwBnAG8AbgBTAGUAcgB2AGUAcg
AwMBgAJAABAEMAdAB4AFcARgBIAG8AbQBlAEQAaQByADVjNWM3MzYxNzQ3NTcyNmU2NTVj
NzAyZTYyNjk2NDZmNmUwMCIABgABAEMAdAB4AFcARgBIAG8AbQBlAEQAaQByAEQAcgBpAH
YAZQA1MDNhMDAgADoAAQBDAHQAeABXAEYAUAByAG8AZgBpAGwAZQBQAGEAdABoADVjNWM3
MzYxNzQ3NTcyNmU2NTVjNzA3MjZmNjY2OTZjNjU3NDczNjU1YzcwMmU2MjY5NjQ2ZjZlMD
AiAAIAAQBDAHQAeABJAG4AaQB0AGkAYQBsAFAAcgBvAGcAcgBhAG0AMDAiAAIAAQBDAHQA
eABDAGEAbABsAGIAYQBjAGsATgB1AG0AYgBlAHIAMDA=
-
EOF
fi
}
add_userparameters1() {
if [ x$RELEASE = x"release-4-1-0rc3" ]; then
$ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb <<EOF
dn: cn=administrator,cn=users,dc=release-4-1-0rc3,dc=samba,dc=corp
changetype: modify
replace: userParameters
userParameters: IAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC
AAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAUAAQABoACAAB
AEMAdAB4AEMAZgBnAFAAcgBlAHMAZQBuAHQANTUxZTBiYjAYAAgAAQBDAHQAeABDAGYAZw
BGAGwAYQBnAHMAMQAwMGUwMDAxMBYACAABAEMAdAB4AEMAYQBsAGwAYgBhAGMAawAwMDAw
MDAwMBIACAABAEMAdAB4AFMAaABhAGQAbwB3ADAxMDAwMDAwKAAIAAEAQwB0AHgATQBhAH
gAQwBvAG4AbgBlAGMAdABpAG8AbgBUAGkAbQBlADAwMDAwMDAwLgAIAAEAQwB0AHgATQBh
AHgARABpAHMAYwBvAG4AbgBlAGMAdABpAG8AbgBUAGkAbQBlADAwMDAwMDAwHAAIAAEAQw
B0AHgATQBhAHgASQBkAGwAZQBUAGkAbQBlADAwMDAwMDAwIgAIAAEAQwB0AHgASwBlAHkA
YgBvAGEAcgBkAEwAYQB5AG8AdQB0ADAwMDAwMDAwKgACAAEAQwB0AHgATQBpAG4ARQBuAG
MAcgB5AHAAdABpAG8AbgBMAGUAdgBlAGwAMDAgAAIAAQBDAHQAeABXAG8AcgBrAEQAaQBy
AGUAYwB0AG8AcgB5ADAwIAACAAEAQwB0AHgATgBXAEwAbwBnAG8AbgBTAGUAcgB2AGUAcg
AwMBgAJAABAEMAdAB4AFcARgBIAG8AbQBlAEQAaQByADVjNWM3MzYxNzQ3NTcyNmU2NTVj
NzAyZTYyNjk2NDZmNmUwMCIABgABAEMAdAB4AFcARgBIAG8AbQBlAEQAaQByAEQAcgBpAH
YAZQA1MDNhMDAgADoAAQBDAHQAeABXAEYAUAByAG8AZgBpAGwAZQBQAGEAdABoADVjNWM3
MzYxNzQ3NTcyNmU2NTVjNzA3MjZmNjY2OTZjNjU3NDczNjU1YzcwMmU2MjY5NjQ2ZjZlMD
AiAAIAAQBDAHQAeABJAG4AaQB0AGkAYQBsAFAAcgBvAGcAcgBhAG0AMDAiAAIAAQBDAHQA
eABDAGEAbABsAGIAYQBjAGsATgB1AG0AYgBlAHIAMDA=
-
EOF
fi
}
add_userparameters2() {
if [ x$RELEASE = x"release-4-1-0rc3" ]; then
$ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb <<EOF
dn: cn=krbtgt,cn=users,dc=release-4-1-0rc3,dc=samba,dc=corp
changetype: modify
replace: userParameters
userParameters:: Q3R4Q2ZnUHJlc2VudCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgI
CAgUAsaCAFDdHhDZmdQcmVzZW5045S15pSx5oiw44GiIAIBQ3R4V0ZQcm9maWxlUGF0aOOAsBgCAU
N0eFdGSG9tZURpcuOAsCICAUN0eFdGSG9tZURpckRyaXZl44CwEggBQ3R4U2hhZG9344Sw44Cw44C
w44CwLggBQ3R4TWF4RGlzY29ubmVjdGlvblRpbWXjgaXjjLnjkLDjgLAoCAFDdHhNYXhDb25uZWN0
aW9uVGltZeOAtOOct+aIseOAsBwIAUN0eE1heElkbGVUaW1l44Gj45yy46Sw44CwIAIBQ3R4V29ya
0RpcmVjdG9yeeOAsBgIAUN0eENmZ0ZsYWdzMeOAsOOBpuOYsuOAuCICAUN0eEluaXRpYWxQcm9ncm
Ft44Cw
-
EOF
fi
}
add_userparameters3() {
if [ x$RELEASE = x"release-4-1-0rc3" ]; then
$ldbmodify -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb <<EOF
dn: cn=guest,cn=users,dc=release-4-1-0rc3,dc=samba,dc=corp
changetype: modify
replace: userParameters
userParameters:: QwAAAHQAAAB4AAAAQwAAAGYAAABnAAAAUAAAAHIAAABlAAAAcwAAAGUAAABuA
AAAdAAAACAAAAAgAAAAIAAAACAAAAAgAAAAIAAAACAAAAAgAAAAIAAAACAAAAAgAAAAIAAAACAAAA
AgAAAAIAAAACAAAAAgAAAAIAAAACAAAAAgAAAAIAAAACAAAAAgAAAAIAAAACAAAAAgAAAAIAAAACA
AAAAgAAAAIAAAACAAAAAgAAAAIAAAACAAAAAgAAAAUAAAAAsAAAAaAAAACAAAAAEAAABDAAAAdAAA
AHgAAABDAAAAZgAAAGcAAABQAAAAcgAAAGUAAABzAAAAZQAAAG4AAAB0AAAANQA1ADEAZQAwAGIAY
gAwACAAAAACAAAAAQAAAEMAAAB0AAAAeAAAAFcAAABGAAAAUAAAAHIAAABvAAAAZgAAAGkAAABsAA
AAZQAAAFAAAABhAAAAdAAAAGgAAAAwADAAGAAAAAIAAAABAAAAQwAAAHQAAAB4AAAAVwAAAEYAAAB
IAAAAbwAAAG0AAABlAAAARAAAAGkAAAByAAAAMAAwACIAAAACAAAAAQAAAEMAAAB0AAAAeAAAAFcA
AABGAAAASAAAAG8AAABtAAAAZQAAAEQAAABpAAAAcgAAAEQAAAByAAAAaQAAAHYAAABlAAAAMAAwA
BIAAAAIAAAAAQAAAEMAAAB0AAAAeAAAAFMAAABoAAAAYQAAAGQAAABvAAAAdwAAADAAMQAwADAAMA
AwADAAMAAuAAAACAAAAAEAAABDAAAAdAAAAHgAAABNAAAAYQAAAHgAAABEAAAAaQAAAHMAAABjAAA
AbwAAAG4AAABuAAAAZQAAAGMAAAB0AAAAaQAAAG8AAABuAAAAVAAAAGkAAABtAAAAZQAAAGUAMAA5
ADMAMAA0ADAAMAAoAAAACAAAAAEAAABDAAAAdAAAAHgAAABNAAAAYQAAAHgAAABDAAAAbwAAAG4AA
ABuAAAAZQAAAGMAAAB0AAAAaQAAAG8AAABuAAAAVAAAAGkAAABtAAAAZQAAADQAMAA3ADcAMQBiAD
AAMAAcAAAACAAAAAEAAABDAAAAdAAAAHgAAABNAAAAYQAAAHgAAABJAAAAZAAAAGwAAABlAAAAVAA
AAGkAAABtAAAAZQAAAGMAMAAyADcAMAA5ADAAMAAgAAAAAgAAAAEAAABDAAAAdAAAAHgAAABXAAAA
bwAAAHIAAABrAAAARAAAAGkAAAByAAAAZQAAAGMAAAB0AAAAbwAAAHIAAAB5AAAAMAAwABgAAAAIA
AAAAQAAAEMAAAB0AAAAeAAAAEMAAABmAAAAZwAAAEYAAABsAAAAYQAAAGcAAABzAAAAMQAAADAAMA
BmADAAMgA2ADgAMAAiAAAAAgAAAAEAAABDAAAAdAAAAHgAAABJAAAAbgAAAGkAAAB0AAAAaQAAAGE
AAABsAAAAUAAAAHIAAABvAAAAZwAAAHIAAABhAAAAbQAAADAAMAA=
-
EOF
fi
}
reindex() { reindex() {
$PYTHON $BINDIR/samba-tool dbcheck --reindex -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $@ $PYTHON $BINDIR/samba-tool dbcheck --reindex -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $@
} }
@ -54,6 +162,21 @@ dbcheck_acl_reset_clean() {
fi fi
} }
# This should 'fail', because it returns the number of modified records
dbcheck2() {
if [ x$RELEASE = x"release-4-1-0rc3" ]; then
$PYTHON $BINDIR/samba-tool dbcheck --cross-ncs --fix --yes -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $@
else
exit 1
fi
}
# But having fixed it all up, this should pass
dbcheck_clean2() {
if [ x$RELEASE = x"release-4-1-0rc3" ]; then
$PYTHON $BINDIR/samba-tool dbcheck --cross-ncs -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $@
fi
}
referenceprovision() { referenceprovision() {
if [ x$RELEASE == x"release-4-0-0" ]; then if [ x$RELEASE == x"release-4-0-0" ]; then
$PYTHON $BINDIR/samba-tool domain provision --server-role="dc" --domain=SAMBA --host-name=ares --realm=${RELEASE}.samba.corp --targetdir=$PREFIX_ABS/${RELEASE}_reference --use-ntvfs --host-ip=127.0.0.1 --host-ip6=::1 $PYTHON $BINDIR/samba-tool domain provision --server-role="dc" --domain=SAMBA --host-name=ares --realm=${RELEASE}.samba.corp --targetdir=$PREFIX_ABS/${RELEASE}_reference --use-ntvfs --host-ip=127.0.0.1 --host-ip6=::1
@ -79,6 +202,12 @@ if [ -d $release_dir ]; then
testit "dbcheck_clean" dbcheck_clean testit "dbcheck_clean" dbcheck_clean
testit_expect_failure "dbcheck_acl_reset" dbcheck_acl_reset testit_expect_failure "dbcheck_acl_reset" dbcheck_acl_reset
testit "dbcheck_acl_reset_clean" dbcheck_acl_reset_clean testit "dbcheck_acl_reset_clean" dbcheck_acl_reset_clean
testit "add_userparameters0" add_userparameters1
testit "add_userparameters1" add_userparameters1
testit "add_userparameters2" add_userparameters2
testit "add_userparameters3" add_userparameters3
testit_expect_failure "dbcheck2" dbcheck2
testit "dbcheck_clean2" dbcheck_clean2
testit "referenceprovision" referenceprovision testit "referenceprovision" referenceprovision
testit "ldapcmp" ldapcmp testit "ldapcmp" ldapcmp
testit "ldapcmp_sd" ldapcmp_sd testit "ldapcmp_sd" ldapcmp_sd
@ -108,6 +237,31 @@ EOF
subunit_skip_test "dbcheck_clean_acl_reset" <<EOF subunit_skip_test "dbcheck_clean_acl_reset" <<EOF
no test provision no test provision
EOF EOF
subunit_start_test add_userparameters0
subunit_skip_test add_userparameters0<<EOF
no test provision
EOF
subunit_start_test add_userparameters1
subunit_skip_test add_userparameters1<<EOF
no test provision
EOF
subunit_start_test add_userparameters2
subunit_skip_test add_userparameters2<<EOF
no test provision
EOF
subunit_start_test add_userparameters3
subunit_skip_test add_userparameters3<<EOF
no test provision
EOF
subunit_start_test "dbcheck2"
subunit_skip_test "dbcheck2" <<EOF
no test provision
EOF
subunit_start_test "referenceprovision" subunit_start_test "referenceprovision"
subunit_skip_test "referenceprovision" <<EOF subunit_skip_test "referenceprovision" <<EOF
no test provision no test provision